The Google+ Bug Is More About The Cover-Up Than The Crime

Earlier this week, Google dropped a bombshell: in March, the company discovered a “bug” in its Google+ API that allowed third-party apps to access private data from its millions of users. The company confirmed that at least 500,000 people were “potentially affected.”

Google’s mishandling of data was bad. But its mishandling of the aftermath was worse. Google should have told the public as soon as it knew something was wrong, giving users a chance to protect themselves and policymakers a chance to react. Instead, amidst a torrent of outrage over the Facebook-Cambridge Analytica scandal, Google decided to hide its mistakes from the public for over half a year.

What Happened?

The story behind Google’s latest snafu bears a strong resemblance to the design flaw that allowed Cambridge Analytica to harvest millions of users’ private Facebook data. According to a Google blog post, an internal review discovered a bug in one of the ways that third-party apps could access data about a user and their friends. Quoting from the post:

Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.

The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.

It’s important to note that Google “found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.” Nevertheless, potential exposure of user data on such a large scale is more than enough to cause concern. A full list of the vulnerable data points is available here, and you can update the privacy settings on your own account here.

What would this bug look like in practice? Suppose Alice is friends with Bob on Google+. Alice has shared personal information with her friends, including her occupation, relationship status, and email. Then, her friend Bob decides to connect to a third-party app. He is prompted to give that app access to his own data, plus “public information” about his friends, and he clicks “ok.” Before March, the app would have been granted access to all the details—not marked public—that Alice had shared with Bob. Similar to Facebook’s Cambridge Analytica scandal, a bad API made it possible for third parties to access private data about people who never had a chance to consent.
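The Alice-and-Bob scenario is, at bottom, an authorization-filter bug: the API answered a third-party app's request with what the acting user could personally see, instead of with what the app's grant covered. The following is an added illustration written for this article, not Google's code; the field names, the "friends.public" scope, and the two-level visibility model (public vs. shared with friends) are constructed assumptions that stand in for the real Google+ data model.

```python
"""Constructed model of the Google+ friend-profile flaw (not Google's code).

Assumptions: each profile field carries a visibility of PUBLIC or FRIENDS;
a user grants an app the scope "friends.public", which per the post should
expose only the *public* profile information of the user's friends.
"""

from dataclasses import dataclass, field

PUBLIC = "public"
FRIENDS = "friends"


@dataclass
class Profile:
    user_id: str
    fields: dict            # field name -> value
    visibility: dict        # field name -> PUBLIC or FRIENDS
    friends: set = field(default_factory=set)


def visible_to_user(profile: Profile, viewer_id: str) -> dict:
    """Fields the profile owner has chosen to share with this human viewer."""
    return {
        name: value
        for name, value in profile.fields.items()
        if profile.visibility[name] == PUBLIC
        or (profile.visibility[name] == FRIENDS and viewer_id in profile.friends)
    }


def buggy_api_friend_profile(profile: Profile, acting_user_id: str, scopes: set) -> dict:
    """The flaw: the API reuses the human viewer's access when serving an app.

    Anything Alice shared with Bob is handed to any app Bob authorised,
    even though the grant only covered his friends' public information."""
    if "friends.public" not in scopes:
        return {}
    return visible_to_user(profile, acting_user_id)


def fixed_api_friend_profile(profile: Profile, acting_user_id: str, scopes: set) -> dict:
    """Hardened: an app's view of a friend's profile is capped by the scope
    the app was granted, not by what the acting user can personally see."""
    if "friends.public" not in scopes:
        return {}
    # The scope is about the acting user's friends; a non-friend gets nothing
    # through it (modelling choice for this example).
    if acting_user_id not in profile.friends:
        return {}
    user_view = visible_to_user(profile, acting_user_id)
    # Intersect the user's view with what the scope allows: PUBLIC fields only.
    return {name: v for name, v in user_view.items() if profile.visibility[name] == PUBLIC}


def leaked_fields(profile: Profile, acting_user_id: str, scopes: set) -> set:
    """Audit helper: which non-public fields the buggy path exposed to the app."""
    return set(buggy_api_friend_profile(profile, acting_user_id, scopes)) - set(
        fixed_api_friend_profile(profile, acting_user_id, scopes)
    )


# Constructed sample data mirroring the article's scenario.
ALICE = Profile(
    user_id="alice",
    fields={"name": "Alice", "occupation": "nurse",
            "relationship": "married", "email": "alice@example.invalid"},
    visibility={"name": PUBLIC, "occupation": FRIENDS,
                "relationship": FRIENDS, "email": FRIENDS},
    friends={"bob"},
)
APP_SCOPES = {"friends.public"}   # what Bob clicked "ok" on

if __name__ == "__main__":
    print("buggy :", buggy_api_friend_profile(ALICE, "bob", APP_SCOPES))
    print("fixed :", fixed_api_friend_profile(ALICE, "bob", APP_SCOPES))
    print("leaked:", leaked_fields(ALICE, "bob", APP_SCOPES))
```

The design point is that a delegated request must be authorized against the intersection of the principal's rights and the delegate's grant, never against the principal's rights alone; the `leaked_fields` helper is the kind of check a reviewer would run across sample profiles when auditing such an endpoint.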

Google also announced in the same post that it would begin phasing out the consumer version of Google+, heading for a complete shutdown in August 2019. The company cited “low usage” of the service. This bug’s discovery may have been the final nail in the social network’s coffin.

Should You Be Concerned?

We know very little about whose data was taken by whom, if any, so it’s hard to say. For many people, the data affected by the bug may not be very revealing. However, when combined with other information, it could expose some people to serious risks.

Email addresses, for example, are used to log in to most services around the web. Since many of those services still have insecure methods of account recovery, information like birthdays, location history, occupations, and other personal details could give hackers more than enough to break into weakly protected accounts. And a database of millions of email addresses linked to personal information would be a treasure trove for phishers and scammers.

Furthermore, the combination of real names, gender identity, relationship status, and occupation with residence information could pose serious risks to certain individuals and communities. Survivors of domestic violence or victims of targeted harassment may be comfortable sharing their residence with trusted friends, but not the public at large. A breach of these data could also harm undocumented migrants, or LGBTQ people living in countries where their relationships are illegal.

Based on our reading of Google’s announcement, there’s no way to know how many people were affected. Since Google deletes API logs after two weeks, the company was only able to audit API activity for the two weeks leading up to the bug’s discovery. Google has said that “up to 500,000” accounts might have been affected, but that’s apparently based on an audit of a single two-week slice of time. The company hasn’t revealed when exactly the vulnerability was introduced.

Even worse, many of the people affected may not even know they have a Google+ account. Since the platform’s launch in 2011, Google has aggressively pushed users to sign up for Google+, and sometimes even required a Google+ account to use other Google services like Gmail and YouTube. Contrary to all the jokes about its low adoption, this bug shows that Google+ accounts have still represented a weak link in its unwitting users’ online security and privacy.

It’s Not The Crime, It’s The Cover-Up

Google never should have put its users at risk. But once it realized its mistake, there was only one correct choice: fix the bug and tell its users immediately.

Instead, Google chose to keep the vulnerability secret, perhaps waiting for the backlash against Facebook to blow over.

The blog post announcing the breach is confusing, cluttered, and riddled with bizarre doublespeak. It introduces “Project Strobe,” and is subtitled “Protecting your data...” as if screwing up an API and hiding it for months were somehow a bold step forward for consumer privacy. In a section headed “There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations,” the company explains the breach, then gives a roundabout, legalistic excuse for not telling the public about it sooner. Finally, the post describes improvements to Google Account’s privacy permissions interface and to Gmail’s and Android’s API policies, which, while nice, are unrelated to the breach in question.

Overall, the disclosure does not give the impression of a contrite company that has learned its lesson. Users don’t need to know the ins and outs of Google’s UX process; they need to be convinced that this won’t happen again. Google wrote a pitch when it was supposed to write an apology.
